Apps And Identities Initial Targets In 86% Of Breaches
Chart (share of breaches by initial target): Web App Attacks 53%, User/Identity 33%, Physical 11%, Other (VPN, PoS, infra.) 3%
Stop web attacks
Fix vulnerabilities
Risk & compliance
What is the OWASP Top 10?
Top 10 is a broad consensus on the most critical web application security flaws
Most are very well known attack vectors that persist
Coverage is a mandatory minimum for some regulatory requirements such as PCI DSS
Here’s the good news.
WAF Technology
• WAFs provide coverage for OWASP Top 10
• WAF offers protection against application attacks
• WAFs can be an alternative to code review
• WAFs fix vulnerabilities promptly without maintenance windows
• WAFs don’t require access to source code or developers
Diagram (API landscape): consumer groups are Non-API users (tech-savvy consumers reaching the digital experience via Mobile and Web), Self-selected use (tech-savvy consumers, innovators, disruptors), Enterprise use (business partners, distribution partners, suppliers) and Product integration (business partners, product ecosystem); these reach Open Web APIs, B2B APIs, Product APIs and Internal APIs in front of Enterprise Applications (custom, off-the-shelf, on premise, cloud) and Products
App-layer DDoS has increased by 43%
77% of web attacks start from botnets
3 Billion Credentials were reported stolen in 2016
Traditional WAF: SSL/TLS Inspection, Scripting, OWASP Top 10
Advanced WAF: Malicious Bots, Credential Attacks, API Attacks, SSL/TLS Inspection, Scripting, OWASP Top 10
APPLICATION PROTECTION: ADVANCED WAF, APP-LAYER ENCRYPTION, BEHAVIORAL DDOS, ANTI-BOT MOBILE SDK, PROACTIVE BOT DEFENSE
Automation
Half of Internet traffic comes from bots
30% is malicious
Bot-driven threats: web attacks, account takeover, vulnerability scanning, web scraping
Denial of Service
Simple bots
Impersonating Bots
Bots with cookies / JS support
Bots that simulate browsers
Mobile apps:
• target of the same automated attacks
• need mobile-specific security
• lack mature security capabilities
Figure Credit: Verizon 2017 Data Breach Investigations Report
Use Case - Account Takeover
Problem:
• Criminals are performing account takeover by stealing account credentials via malware
Benefits:
• Prevent the use of dumped credential databases (credential stuffing)
• Prevent the theft of user credentials (credential harvesting)
• Protect mobile apps - identify and pass only the desired mobile applications
Solution:
• App-level credential encryption
• Anti-bot mobile SDK
• Credential Stuffing protection
• Brute force protection
Diagram (ATO Protection): Mobile Authentication Protection via the Anti-bot Mobile SDK and Credential Encryption sit between Hacker/Bots and Users’ credentials, across Data Center, Interconnect and Cloud
© F5 Networks, Inc 22
DDoS 101 – The Targets
• Volumetric attacks on bandwidth
• Attacks on RAM: firewall state tables
• Targeted attacks: bugs and flaws in the stack
• Attacks on the server stack: low and slow
• Attacks on crypto capacity: SSL floods
• Attacks on CPU: IPS signature scanning
Use Case - DDoS Attacks
Diagram (DDoS hybrid defense): the DDoS Managed Service (Silverline Cloud Services) provides Layer 3 DDoS Protection between Hacker/Bots and the On-Premises Layer 7 DDoS Protection (DDoS Hybrid Defender, Advanced WAF) at the Core, in front of Users; Silverline operates Always On or under attack, with communication (signaling) between cloud and on-premises
Option: consolidate into a single layer 3-7 solution
Problem:
• DDoS attacks are growing, but your resources are not
• DDoS mitigation time is slow due to manual initiation and difficult policy tuning
Benefits:
• On-premises hardware acts immediately and automatically to mitigate attacks
• Silverline cloud services minimize the risk of larger attacks crippling your site or applications
Solution:
• Always-on protection with on-premises hardware
• Mitigate with a layered defense strategy and cloud services
• F5 SOC monitoring with portal
• Protect against all attacks with granular control
• Eliminate time-consuming manual tuning with machine learning
F5 Advanced WAF: Protect against bots, credential attacks, and app-layer DoS
Key Benefits:
• Protects Web and mobile apps from exploits, bots, theft, app-layer DoS
• Prevent malware from stealing data and credentials
• Prevent Brute Force attacks that use stolen credentials
• Eliminate time-consuming manual tuning for App-layer DoS protection
Defend against bots:
• Proactive bot defense
• Anti-bot mobile SDK
• Client and server monitoring
Protect apps from DoS:
• Auto-tuning
• Behavioral analytics
• Dynamic signatures
Prevent Account Takeover:
• App-level encryption
• Mobile app tampering
• Brute Force protection
Diagram (F5 Advanced WAF): Bot Mitigation, Credential Protection and App-Layer DoS protection between Hacker/Bots and Users’ credentials, with the Anti-bot Mobile SDK on Mobile
Maximizing Value From Your WAF
THE CHANGING DYNAMICS OF APPLICATION SECURITY
Threats: Vulnerabilities & Exploits; Automated Attacks; Mobile Applications; Credential & Data Theft; Low & Slow DDoS; API Vulnerabilities
Protections: DataSafe Encryption; Credential Stuffing; Web Application Firewall; Proactive Bot Defense; Behavioral Analytics; Threat Campaigns; Anti-Bot Mobile SDK; API Protocol Security; Device Identification; Threat Intelligence Feeds
Solution Deployment
Advanced WAF:
• Standalone BIG-IP: iSeries, VIPRION, VE
• Cloud: AWS, Azure, Google
• LTM/GBB/ASM Upgrade: Advanced WAF LaunchPad (upgrade only); Advanced WAF Installation for VIPRION; Advanced WAF Installation for BIG-IP
Managed Services (F5 Silverline): WAF, Managed WAF Express, DDoS Protection; F5 Managed Rules for AWS WAF
Bot Defense, DataSafe Encryption, Behavioral DoS
Licensing: Enterprise, Per-App-VE, BYOL, Cloud Marketplace, Cloud Licensing Program
Anti-Bot Mobile: Professional Services; Appdome (Apple, Android) Add-on SDK; Fusion
Threat Intel: IP Intelligence, Credential Stuffing, Threat Campaigns, Device Identification
Complementary Solutions: DDoS Hybrid Defender, Access Policy Manager, BIG-IQ, DataSafe Add-on, WebSafe, MobileSafe, F5 Fraud Services
Chart (where application protection fits, from CODING through DEVELOPMENT to PRODUCTION; APPDEV, INLINE, HOST, MITIGATE, VULNERABILITY ASSESSMENT):
• WAF (WEB APPLICATION FIREWALL): ENTERPRISE PROTECTION; REGULATORY COMPLIANCE; VA / DAST INTEGRATIONS; MOST EFFECTIVE OWASP 10; VOLUMETRIC MITIGATION
• RASP (Run-time Application Self Protection): APP PROTECTION INSTANCE POST WAF, IPS, IDS; INSIDE APP OR SERVER; APP LANGUAGE DEPENDENT; UP TO 10% PERF. REDUCTION
• SAST (STATIC APPLICATION SECURITY TESTING), DAST (DYNAMIC APPLICATION SECURITY TESTING), IAST (INTERACTIVE APPLICATION SECURITY TESTING)
• Also shown: BUG FIXES, IPS, BOT PROTECTION